- Chinese firms will only have an hour to report severe cyber incidents
- Those who don’t comply face fines
- This comes as organizations around the world face huge ransomware risks
New regulations in China mean that firms now have just an hour to report cybersecurity incidents which would fall into ‘particularly serious’ or ‘serious’ categories.
The Cyberspace Administration of China has rolled out these strict new rules, which are set to start November 1, to tighten up incident response.
To fall under the highest degree of severity, an incident could disrupt over 50% of a province’s population, or affect the daily needs of over 10 million people, such as utilities, healthcare, transport, or groceries. It could also involve portals of provincial or higher officials or government agencies, or involve key national news sites.
Quick compliance
‘Serious’ incidents are those that leak over 10 million citizens’ data, affect 50% of a city’s population, or affect over 1 million people’s lives – as well as incidents in which government portals are taken down for over six hours, or critical infrastructure is disrupted for over an hour, the South China Morning Post reports.
Economic losses of over ¥100 million (around £10 million) can also trigger the high severity classification, as well as anything that would threaten social stability or national security.
Those that suffer a high severity or ‘serious’ incident must report which systems were attacked, the incident type, the preliminary cause, an attack timeline, initial damage reports, and ransom amounts to the authorities within an hour, alongside assessments of potential danger and requests for government support.
Failure to comply with this strict timeline could see penalties imposed on the organization at fault:
“If the network operator reports late, omitted, falsely reported or concealed network security incidents, causing major harmful consequences, the network operator and the relevant responsible persons shall be punished more severely according to law,” the CAC warns.
With an increasing number of ransomware and data exfiltration attacks, China is not the only state introducing new cybersecurity regulations to try to mitigate the risks for citizens. Just a few days ago, the US Department of Defense issued strict new cyber rules for potential contractors, showing the priority of cybersecurity around the world.